This appendix documents OPSS system properties (set through the switch -D at server start) and configuration properties (set with the elements <property> and <extendedProperty> in the configuration file jps-config.xml) in the following sections:
To manage server properties programmatically, use OPSS MBeans. For details and example, see Section E.2.3, "Programming with OPSS MBeans."
Note:
All OPSS configuration changes (manual or through the JpsConfiguration MBean) require a server restart to take effect. OPSS data domain changes do not require a server restart to take effect. Data changes include modifying an application policy and creating, deleting, or updating a credential.
A system property that has been introduced or modified is not in effect until the server is restarted. To set a system property, the administrator must edit the setDomainEnv.sh shell script and add the property to the environment variable EXTRA_JAVA_PROPERTIES in that script.
Table F-1 lists the Java system properties available with OPSS.
Table F-1 OPSS System Properties
Name | Description |
---|---|
| Specifies the location of the common components home. Required for both Java EE and Java SE applications. No default value. |
| Notifies about a permission failure when the method JpsAuth.checkPermission is called inside a Subject.doAs block and the permission check fails. Note that setting jps.auth.debug or jps.auth.debug.verbose is not enough to get a failure notification in this case. Optional. |
| Specifies the location of the Java security policy file. |
| Controls the number of permissioncollectionmap entries kept in memory. Each entry corresponds with a set of permissions. For this setting to take effect, the property Optional. Valid values: a non-negative integer. Default value: |
| Enables or disables the delegation of calls to the JDK API AccessController.checkPermission, which reduces runtime and debugging overhead. Optional. Valid values: No default value. |
| Controls server logging output. Default value: FALSE. For details, see Section K.1.2.1, "jps.auth.debug." Optional. |
| Controls server logging output. Default value: FALSE. For details, see Section K.1.2.2, "jps.auth.debug.verbose." Optional. |
| Enables or disables the caching of a subject's protection domain. Optional. Valid values: Default value: |
| Enables or disables the evaluation of a subject's protection domain when a permission check is triggered. Optional. Valid values: Default value: |
| Controls the number of combinermap entries kept in memory. Each entry corresponds with a set of principals. For this setting to take effect, the property Optional. Valid values: a non-negative integer. Default value: |
| Enables or disables the migration of policies and credentials for applications deployed on a WebLogic Server. Valid only for the WebLogic Server. Set to TRUE to disable the migration of application policies and credentials for all applications deployed on the server, regardless of the particular application settings in the application file weblogic-application.xml. Optional. Valid values: Default value: |
| Enables or disables the hybrid mode. When hybrid mode is enabled, the OPSS policy provider reads from java.policy, weblogic.policy, and the policy store configured in jps-config.xml. Optional. Valid values: Default value: |
| Controls the use of the map type. The map type is used to hold some structures in a special cache so that they are not garbage-collected by the Java Virtual Machine. If set to If set to See related properties Optional. Valid values: Default value: |
| Specifies the number of milliseconds after which group membership changes are in effect. This value must be kept in sync with the value of the WebLogic authenticator Optional. Valid values: any positive integer. Default value: |
| Controls the number of subjectmap entries kept in memory. Each entry corresponds with TTL information about a subject. For this setting to take effect, the property Optional. Valid values: a non-negative integer. Default value: |
| Specifies the path to the domain configuration files. Required. No default value. |
| Specifies the path to the directory of a code source URL. Optional. No default value. |
| Specifies the extension of a code source URL. Optional. No default value. |
| Logs the name of an application role that contains a specified substring; if the substring to match is unspecified, it logs all application role names. Optional. No default value. For an example of use and further details, see Section K.1.2.3, "Debugging the Authorization Process." |
oracle.security.jps.log.for.permeffect | Logs a grant that was granted or denied according to a specified value; if the value is unspecified, it logs all grants (regardless of whether they were granted or denied). Optional. No default value. For an example of use and further details, see Section K.1.2.3, "Debugging the Authorization Process." |
oracle.security.jps.log.for.permclassname | Logs the name of the permission class that matches exactly a specified name; if the name to match is unspecified, it logs all permission class names. Optional. No default value. For an example of use and further details, see Section K.1.2.3, "Debugging the Authorization Process." |
oracle.security.jps.log.for.permtarget.substring | Logs the name of a permission target that contains a specified substring; if the substring to match is unspecified, it logs all permission targets. Optional. No default value. For an example of use and further details, see Section K.1.2.3, "Debugging the Authorization Process." |
oracle.security.jps.log.for.enterprise.principalname | Logs the name of the principal (enterprise user or enterprise role) that matches exactly a specified name; if the name to match is unspecified, it logs all principal names. Optional. No default value. For an example of use and further details, see Section K.1.2.3, "Debugging the Authorization Process." |
wlst.offline.log | Specifies the location of the log file when running offline WLST commands. Optional. No default value. Valid values: <filename>, stdout, stderr, disable. |
wlst.offline.log.priority | Specifies the level of the notification. Optional. No default value. Valid values: OFF, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST, ALL, debug, info, warn, error, fatal. |
opss.audit.logDirectory | Specifies the location of the OPSS audit log files for Java SE applications if it is not set in Optional. No default value. Valid values: any writeable directory. |
This section describes the properties of various instances in the following sections:
Table F-2 describes the OPSS properties common to all services (except trust service).
Name | Description |
---|---|
The following properties are valid in both Java EE and Java SE applications | |
| The key for the password credentials used to access the OID store, stored in the bootstrap wallet. Valid in Java EE and Java SE applications. Applies to OID and DB stores. Required. No default value. The out-of-the-box value is |
| The map for the password credentials used to access the OID store, stored in the bootstrap wallet. Valid in Java EE and Java SE applications. Applies to OID and DB stores. Required. Default value: |
| The JDBC URL. Valid in Java SE and Java EE applications. Applies only to DB stores. Required. No default value. Value example: |
| The URL of the OID security store, with the format Valid in Java EE and Java SE applications. Applies only to OID stores. Required. No default value. |
| The RDN format of the domain node in the OID store. Valid in Java EE and Java SE applications. Applies to OID and DB stores. Required. No default value. |
| The RDN format of the root node in the OID store. Valid in Java EE and Java SE applications. Applies to OID and DB stores. Required. No default value. |
| The maximum number of permission collections allowed in the cache per protection domain and request permission class. Valid in Java EE and Java SE applications. Applies to OID and DB stores. Optional. Default value: 5000 |
| The type of the policy store. Valid in Java EE and Java SE applications. Applies to OID and DB stores. Required. No default value. Values: |
The following properties are valid in Java EE applications only | |
| The JNDI name of the JDBC data source instance. Valid in Java EE applications only. Applies only to DB stores. Required. No default value. |
| The number of retry attempts. Valid in Java EE applications only. Applies only to DB stores. Optional. Default value: 3 |
| The number of seconds between retry attempts. Valid in Java EE applications only. Applies only to DB stores. Optional. Default value: 15 |
| Specifies the credential's map and key for the WebLogic DB user/password. They apply only when Valid in Java EE applications only. Applies only to DB stores. Optional. Default value: none. |
| Specifies where to find the map and key for the WebLogic DB user/password. This property is automatically set when reassociating to a DB-based store. Valid in Java EE applications only. Applies only to DB stores. Optional. Valid values: Default value: If Otherwise, if |
The following properties are valid in Java SE applications only | |
| The clear text name of the principal to use instead of the user name specified in the bootstrap. Used in development environments only. Valid in Java SE applications only. Applies to OID and DB stores. Optional. No default value. |
| The clear text password for the security principal to use instead of the password specified in the bootstrap. Not recommended. Valid in Java SE applications only. Applies to OID and DB stores. Optional. No default value. |
| The JDBC driver. Valid in Java SE applications only. Applies only to DB stores. Required. No default value. Value example: |
The policy store properties are described in the following sections:
The policy store provider class that can be used with OID-based or DB-based instances is the following:
oracle.security.jps.internal.policystore.ldap.LdapPolicyStoreProvider
Table F-3 describes the properties specific to policy store instances. The properties are listed in three blocks according to the kind of application they can be used in. Additional properties are listed in Common Properties.
Table F-3 Policy Store Properties
Name | Description |
---|---|
| Controls the throwing of exceptions if any of the following checks fail: If set to If set to Valid in Java EE and Java SE applications. Applies to OID and DB stores. Optional. Default value: Valid values: |
The following fragment illustrates the configuration of an OID-based policy store instance for a Java EE application:
```xml
<propertySet name="props.ldap.1">
  <property name="java.naming.ldap.derefAliases" value="never"/>
  <property name="bootstrap.security.principal.key" value="bootstrap_6aCNhgRM3zF04ToliwecdF6K3oo="/>
  <property name="oracle.security.jps.farm.name" value="cn=compact1_oid26008"/>
  <property name="server.type" value="OID"/>
  <property name="oracle.security.jps.ldap.root.name" value="cn=jpsTestNode"/>
  <property name="ldap.url" value="ldap://myComp.com:2020"/>
</propertySet>
<serviceProvider type="POLICY_STORE" name="policystore.provider"
    class="oracle.security.jps.internal.policystore.ldap.LdapPolicyStoreProvider"/>
<serviceInstance name="policystore.ldap" provider="policystore.provider">
  <propertySetRef ref="props.ldap.1"/>
</serviceInstance>
```
The following fragment illustrates the configuration of an OID-based policy store instance for a Java SE application:
```xml
<serviceInstance name="policystore.oid" provider="policy.oid">
  <property value="OID" name="server.type"/>
  <property value="bootstrap" name="bootstrap.security.principal.key"/>
  <property name="ldap.url" value="ldap://myHost.com:1234"/>
  <property name="oracle.security.jps.ldap.root.name" value="cn=jpsNode"/>
  <property name="oracle.security.jps.farm.name" value="cn=domain1"/>
</serviceInstance>
```
For additional configuration samples for Java SE applications, see Section 24.5, "Configuration Examples."
The following fragment illustrates the configuration of DB-based stores (including an instance of a runtime service provider) for a Java EE application:
```xml
<jpsConfig>
  ...
  <propertySets>
    <!-- property set props.db.1 common to all DB services -->
    <propertySet name="props.db.1">
      <property name="jdbc.url" value="jdbc:oracle:thin:@xxx.com:1521:orcl"/>
      <property name="datasource.jndi.name" value="opssds"/>
      <property value="cn=farm" name="oracle.security.jps.farm.name"/>
      <property value="cn=jpsroot" name="oracle.security.jps.ldap.root.name"/>
      <property value="dsrc_lookup_key" name="bootstrap.security.principal.key"/>
      <property value="credential_map" name="bootstrap.security.principal.map"/>
    </propertySet>
  </propertySets>
  <serviceProviders>
    <serviceProvider class="oracle.security.jps.internal.policystore.ldap.LdapPolicyStoreProvider" type="POLICY_STORE" name="rdbms.policystore.provider">
      <description>RDBMS based PolicyStore provider</description>
    </serviceProvider>
    <serviceProvider type="KEY_STORE" name="keystore.provider" class="oracle.security.jps.internal.keystore.KeyStoreProvider">
      <description>PKI Based Keystore Provider</description>
      <property name="provider.property.name" value="owsm"/>
    </serviceProvider>
    <serviceProvider name="pdp.service.provider" type="PDP" class="oracle.security.jps.az.internal.runtime.provider.PDPServiceProvider">
      <description>OPSS Runtime Service provider</description>
    </serviceProvider>
  </serviceProviders>
  <serviceInstances>
    <serviceInstance name="policystore.rdbms" provider="rdbms.policystore.provider">
      <property value="DB_ORACLE" name="server.type"/>
      <propertySetRef ref="props.db.1"/>
      <property name="session_expiration_sec" value="60"/>
      <property name="failover.retry.times" value="5"/>
    </serviceInstance>
    <serviceInstance name="credstore.rdbms" provider="rdbms.credstore.provider">
      <propertySetRef ref="props.db.1"/>
    </serviceInstance>
    <serviceInstance name="keystore.rdbms" provider="rdbms.keystore.provider">
      <propertySetRef ref="props.db.1"/>
      <property name="server.type" value="DB_ORACLE"/>
    </serviceInstance>
    <serviceInstance name="pdp.service" provider="pdp.service.provider">
      <property name="oracle.security.jps.runtime.pd.client.sm_name" value="permissionSm"/>
      <property name="oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled" value="true"/>
      <property name="oracle.security.jps.pdp.AuthorizationDecisionCacheEvictionCapacity" value="500"/>
      <property name="oracle.security.jps.pdp.AuthorizationDecisionCacheEvictionPercentage" value="10"/>
      <property name="failover.retry.times" value="5"/>
      <property name="failover.retry.interval" value="20"/>
      <property name="oracle.security.jps.policystore.purge.timeout" value="30000"/>
      <propertySetRef ref="props.db.1"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="default">
      <serviceInstanceRef ref="pdp.service"/>
      <serviceInstanceRef ref="policystore.rdbms"/>
      <serviceInstanceRef ref="credstore.rdbms"/>
      <serviceInstanceRef ref="keystore.rdbms"/>
    </jpsContext>
  </jpsContexts>
  ...
</jpsConfig>
```
The following fragment illustrates the configuration of a DB-based policy store instance for a Java SE application:
```xml
<serviceInstance name="policystore.rdbms" provider="policy.rdbms">
  <property name="server.type" value="DB_ORACLE"/>
  <property name="jdbc.url" value="jdbc:oracle:thin:@xxx.com:1722:orcl"/>
  <property name="jdbc.driver" value="oracle.jdbc.driver.OracleDriver"/>
  <property name="bootstrap.security.principal.key" value="bootstrap_DWgpEJgXwhDIoLYVZ2OWd4R8wOA="/>
  <property name="oracle.security.jps.ldap.root.name" value="cn=jpsTestNode"/>
  <property name="oracle.security.jps.farm.name" value="cn=view_steph.atz"/>
</serviceInstance>
```
For additional configuration samples for Java SE applications, see Section 24.5, "Configuration Examples."
The runtime policy store provider class that can be used with OID- or DB-based instances is the following:
oracle.security.jps.az.internal.runtime.provider.PDPServiceProvider
Table F-4 lists the runtime properties of policy store instances.
Table F-4 Runtime Policy Store Properties
Name | Description |
---|---|
| The type of the role member cache. Valid in Java EE and Java SE applications. Applies to OID and DB stores. Optional. Valid values: Default value: |
| The type of strategy used in the role member cache. Valid in Java EE and Java SE applications. Applies to OID and DB stores. Optional. Valid values: Default value: |
| The number of roles kept in the member cache. Valid in Java EE and Java SE applications. Applies to OID and DB stores. Optional. Default value: 1000. |
| Enables or disables the lazy loading of policies. Valid in Java EE and Java SE applications. Applies to OID and DB stores. Optional. Valid values: Default value: |
| The type of strategy used in the permission cache. Valid in Java EE and Java SE applications. Applies to OID and DB stores. Optional. Valid values: Default value: |
| The number of grants kept in the permission cache. Valid in Java EE and Java SE applications. Applies to OID and DB stores. Optional. Default value: 1000. |
| Enables or disables the policy store refresh. If this property is set, then Valid in Java EE and Java SE applications. Applies to OID and DB stores. Optional. Valid values: Default value: |
| Enables or disables the refresh of the cache. If this property is set, then Valid in Java EE and Java SE applications. Applies to OID and DB stores. Optional. Valid values: Default value: |
| The time, in milliseconds, after which the policy store cache is purged. Valid in Java EE and Java SE applications. Applies to OID and DB stores. Optional. Default value: 43200000 (12 hours). |
| The interval, in milliseconds, at which the policy store is polled for changes. Valid in Java EE and Java SE applications. Applies to OID and DB stores. Optional. Default value: 600000 (10 minutes). |
| The number of a user's permissions after which the permission cache is invalidated. Valid in Java EE and Java SE applications. Applies to OID and DB stores. Optional. Default value: 50. |
| Controls the way the ApplicationRole membership cache is created. If set to TRUE, the cache is created at server startup; otherwise, it is created on demand (lazy loading). Set to TRUE when the number of users and groups is significantly higher than the number of application roles; set to FALSE otherwise, that is, when the number of application roles is very high. Valid in Java EE and Java SE applications. Applies to OID and DB stores. Optional. Valid values: Default value: |
| The folder for temporary storage. Valid in Java EE and Java SE applications. Applies to XML, OID, and DB stores. Optional. Default value: the system temporary folder. |
| Specifies whether the authorization cache is enabled. Valid in Java EE and Java SE applications. Applies to XML, OID, and DB stores. Optional. Valid values: Default value: |
| The percentage of sessions to drop when the eviction capacity is reached. Valid in Java EE and Java SE applications. Applies to XML, OID, and DB stores. Optional. Default value: 10 |
| The maximum number of authorization and role mapping sessions to maintain. When the maximum is reached, old sessions are dropped and reestablished when needed. Valid in Java EE and Java SE applications. Applies to XML, OID, and DB stores. Optional. Default value: 500 |
| The number of seconds during which session data is cached. Valid in Java EE and Java SE applications. Applies to XML, OID, and DB stores. Optional. Default value: 60 |
| Controls the throwing of exceptions if any of the following checks fail: If set to If set to Valid in Java EE and Java SE applications. Applies to OID and DB stores. Optional. Default value: Valid values: |
oracle.security.jps.policystore.refresh.purge.timeout | Specifies the timeout interval, in milliseconds, at which the cache is refreshed. Recommended when a large number of users access the application concurrently. Valid in Java EE and Java SE applications. Applies to OID and DB stores. Optional. No default value. Setting example: <property name="oracle.security.jps.policystore.refresh.purge.timeout" value="200000"/> |
oracle.security.jps.ldap.policystore.refresh.interval | Specifies the time interval, in milliseconds, at which the cache is refreshed. Recommended when a large number of users access the application concurrently. Valid in Java EE and Java SE applications. Applies to OID and DB stores. Optional. No default value. Setting example: <property name="oracle.security.jps.ldap.policystore.refresh.interval" value="300000"/> |
Table F-5 lists the properties specific to credential store instances. Additional properties are listed in Common Properties.
Table F-5 Credential Store Properties
Name | Description |
---|---|
| Specifies whether to encrypt credentials. Valid in Java EE and Java SE applications. Applies only to file and OID stores. Valid values: Optional. Default value: |
The following fragment illustrates the configuration of a credential store in a Java EE application:
```xml
<propertySet name="props.ldap.1">
  <property name="java.naming.ldap.derefAliases" value="never"/>
  <property name="bootstrap.security.principal.key" value="bootstrap_6aCNhgRM3zF04ToliwecdF6K3oo="/>
  <property name="oracle.security.jps.farm.name" value="cn=compact1_oid26008"/>
  <property name="server.type" value="OID"/>
  <property name="oracle.security.jps.ldap.root.name" value="cn=jpsTestNode"/>
  <property name="ldap.url" value="ldap://myComp.com:2020"/>
</propertySet>
<serviceProvider type="CREDENTIAL_STORE" name="ldap.credentialstore.provider"
    class="oracle.security.jps.internal.credstore.ldap.LdapCredentialStoreProvider"/>
<serviceInstance name="credstore.ldap" provider="ldap.credentialstore.provider">
  <propertySetRef ref="props.ldap.1"/>
</serviceInstance>
```
Table F-6 lists the properties of LDAP-based identity store instances. Extended properties are explicitly stated. User and Role API properties corresponding to a property are also stated.
Table F-6 LDAP-Based Identity Store Properties
Name | Description |
---|---|
| The type of the identity store. Valid in Java SE and Java EE applications. Required. Valid values: If using a custom authenticator, the service instance configuration must include one of the following properties: <property name="idstore.type" value="<your-idstore-type>"/> <property name="ADF_IM_FACTORY_CLASS" value="<your-IDM-FACTORY_CLASS_NAME>"/> Corresponding User and Role API property: ADF_IM_FACTORY_CLASS |
| The LDAP URL value. Valid in Java SE and Java EE applications. Required. No default value. Value example: Corresponding User and Role API property: ADF_IM_PROVIDER_URL |
| The user search base for the LDAP server in DN format. Extended property. Valid in Java SE and Java EE applications. Required. No default value. Value example: Corresponding User and Role API property: USER_SEARCH_BASES |
| The group or enterprise role search base for the LDAP server in DN format. Extended property. Valid in Java SE and Java EE applications. Required. No default value. Value example: Corresponding User and Role API property: ROLE_SEARCH_BASES |
| The identity store provider class. Valid only in Java EE applications. Required. The only supported value is oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider |
| The base DNs used to create groups or enterprise roles. Extended property. Valid in Java EE and Java SE applications. Required to allow write operations with the User and Role API; otherwise, optional. Value example of a single DN: <extendedProperty> <name>group.create.bases</name> <values> <value>cn=groups,dc=us,dc=oracle,dc=com</value> </values> </extendedProperty> Corresponding User and Role API property: ROLE_CREATE_BASES |
| The base DNs used to create users. Extended property. Valid in Java EE and Java SE applications. Required to allow write operations with the User and Role API; otherwise, optional. Value example of a single DN: <extendedProperty> <name>user.create.bases</name> <values> <value>cn=users,dc=us,dc=oracle,dc=com</value> </values> </extendedProperty> Corresponding User and Role API property: USER_CREATE_BASES |
| The fully qualified names of the object classes used to search enterprise roles and groups. Extended property. Valid in Java EE and Java SE applications. Optional. Value example: Corresponding User and Role API property: ROLE_FILTER_OBJECT_CLASSES |
| The attributes that must be specified when creating enterprise roles or groups. Extended property. Valid in Java EE and Java SE applications. Optional. Value example: <extendedProperty> <name>group.mandatory.attrs</name> <values> <value>cn</value> <value>objectClass</value> </values> </extendedProperty> Corresponding User and Role API property: ROLE_MANDATORY_ATTRS |
| The attribute of a static role that specifies the distinguished names (DNs) of the members of an enterprise role or group. Extended property. Valid in Java EE and Java SE applications. Optional. Value example: <extendedProperty> <name>group.member.attrs</name> <values> <value>uniqueMember</value> </values> </extendedProperty> Corresponding User and Role API property: ROLE_MEMBER_ATTRS |
| The fully qualified names of one or more schema object classes used to represent enterprise roles or groups. Extended property. Valid in Java EE and Java SE applications. Optional. Value example: <extendedProperty> <name>group.object.classes</name> <values> <value>top</value> <value>groupOfUniqueNames</value> </values> </extendedProperty> Corresponding User and Role API property: ROLE_OBJECT_CLASSES |
| The base DNs for creating enterprise roles or groups. Valid in Java EE and Java SE applications. Optional. Value example: Corresponding User and Role API property: ROLE_SELECTED_CREATEBASE |
| The attribute that uniquely identifies the name of the enterprise role or group. Valid in Java EE and Java SE applications. Optional. Value example: Corresponding User and Role API property: ROLE_NAME_ATTR |
| The base DNs for searching enterprise roles or groups. Valid in Java EE and Java SE applications. Optional. Value example: |
| The maximum number of characters in the search filter. Valid in Java EE and Java SE applications. Optional. Value: a positive integer. Corresponding User and Role API property: MAX_SEARCHFILTER_LENGTH |
| The type of search to employ when the repository is queried. Valid in Java EE and Java SE applications. Optional. Valid values: Corresponding User and Role API property: IDENTITY_SEARCH_TYPE |
| The fully qualified names of the object classes used to search users. Extended property. Valid in Java EE and Java SE applications. Optional. Value example: Corresponding User and Role API property: USER_FILTER_OBJECT_CLASSES |
| The login identity of the user. Valid in Java EE and Java SE applications. Optional. Value example: Corresponding User and Role API property: USER_LOGIN_ATTR |
| The attributes that must be specified when creating a user. Extended property. Valid in Java EE and Java SE applications. Optional. Value example: <extendedProperty> <name>user.mandatory.attrs</name> <values> <value>cn</value> <value>objectClass</value> <value>sn</value> </values> </extendedProperty> Corresponding User and Role API property: USER_MANDATORY_ATTRS |
| The fully qualified names of the schema classes used to represent users. Extended property. Valid in Java EE and Java SE applications. Optional. Corresponding User and Role API property: USER_OBJECT_CLASSES |
| The LDAP attribute that uniquely identifies the name of the user. Valid in Java EE and Java SE applications. Optional. Corresponding User and Role API property: USER_NAME_ATTR |
| The name of the system hosting the identity store. Valid in Java EE and Java SE applications. Optional. |
| The default realm for the identity store. Valid in Java EE and Java SE applications. Optional. Value example: Corresponding User and Role API property: ADF_IM_SUBSCRIBER_NAME |
| Controls the authenticators in which search and modification are allowed. If set to TRUE, searching and modifying are available in all configured authenticators; if set to FALSE, searching and modifying are available only in the first authenticator in the configured stack. Set to TRUE if you intend to use the User and Role API to search or write information in all authenticators. Valid in Java EE and Java SE applications. Optional. Valid values: Default value: Value example: |
Note:
If the authenticator attribute username is changed (because, for example, of post-provisioning or migrating from a test to a production environment), then the identity store service parameter username.attr in the identity store service must also be changed accordingly. Those two values should be kept equal.
The following fragment illustrates the configuration of an OID-based identity store for a Java SE application:
```xml
<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
  <property name="idstore.type" value="OID"/>
  <property name="ldap.url" value="ldap://myHost.com:1234"/>
  <extendedProperty>
    <name>user.search.bases</name>
    <values>
      <value>cn=users,dc=us,dc=oracle,dc=com</value>
    </values>
  </extendedProperty>
  <extendedProperty>
    <name>group.search.bases</name>
    <values>
      <value>cn=groups,dc=us,dc=oracle,dc=com</value>
    </values>
  </extendedProperty>
</serviceInstance>
```
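The fragments in this appendix leave the reader to resolve propertySetRef, provider and serviceInstanceRef links by eye, and the tables state which properties are required per server type. The following Python script is an added example, not Oracle code and not part of this appendix, that performs those checks on a jps-config.xml document before it is deployed: it merges <property> and multi-valued <extendedProperty> elements for each serviceInstance, verifies the required store properties from Table F-2 and the required LDAP identity store properties from Table F-6, checks that a DB store's jdbc.url has the jdbc:oracle:thin:@host:port:sid shape used in the DB fragments above, flags clear-text secrets (the Java SE clear text password described in Table F-2 as not recommended), and reports dangling references. The provider type string IDENTITY_STORE, the password-name heuristic, and the sample configuration (constructed along the lines of the DB-based fragment, with deliberate defects) are assumptions made for this example.

```python
"""Static checker for an OPSS jps-config.xml document (added example, not Oracle code).
Resolves propertySetRef/provider/serviceInstanceRef links, merges <property> and multi-valued
<extendedProperty> elements per serviceInstance, and checks the properties Tables F-2/F-6 mark Required."""
import re
import xml.etree.ElementTree as ET

# Table F-2: required for every policy/credential/key store instance, plus ldap.url (OID) or jdbc.url (DB).
REQUIRED_COMMON = ("server.type", "bootstrap.security.principal.key",
                   "oracle.security.jps.farm.name", "oracle.security.jps.ldap.root.name")
REQUIRED_BY_SERVER_TYPE = {"OID": ("ldap.url",), "DB_ORACLE": ("jdbc.url",)}
# Table F-6: required for an LDAP identity store instance.
REQUIRED_IDSTORE = ("idstore.type", "ldap.url", "user.search.bases", "group.search.bases")
# Thin JDBC URL shape used by this appendix's DB examples: jdbc:oracle:thin:@host:port:sid
ORACLE_THIN_URL = re.compile(r"^jdbc:oracle:thin:@[^:/@]+:\d+:[A-Za-z0-9_.]+$")
STORE_TYPES = {"POLICY_STORE", "CREDENTIAL_STORE", "KEY_STORE"}
IDSTORE_TYPE = "IDENTITY_STORE"  # assumed provider type string; not shown on this page


def instance_properties(instance, property_sets):
    """Merge the properties one serviceInstance sees into {name: [values]}.
    Referenced property sets are applied first, so a <property> written directly in the
    instance overrides the set; <extendedProperty> keeps every <value> it lists."""
    props = {}
    for ref in instance.findall("propertySetRef"):
        pset = property_sets.get(ref.get("ref"))
        for prop in (pset.findall("property") if pset is not None else []):
            props[prop.get("name")] = [prop.get("value")]
    for prop in instance.findall("property"):
        props[prop.get("name")] = [prop.get("value")]
    for ext in instance.findall("extendedProperty"):
        props[ext.findtext("name")] = [v.text for v in ext.findall("values/value")]
    return props


def check_config(xml_text):
    """Return a list of findings for a jps-config.xml document; an empty list means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    property_sets = {p.get("name"): p for p in root.findall("propertySets/propertySet")}
    providers = {p.get("name"): p for p in root.findall("serviceProviders/serviceProvider")}
    instances = {i.get("name"): i for i in root.findall("serviceInstances/serviceInstance")}

    for name, inst in instances.items():
        for ref in inst.findall("propertySetRef"):
            if ref.get("ref") not in property_sets:
                findings.append(f"{name}: propertySetRef '{ref.get('ref')}' is not defined")
        provider = providers.get(inst.get("provider"))
        if provider is None:
            findings.append(f"{name}: provider '{inst.get('provider')}' is not defined")
            continue
        props = instance_properties(inst, property_sets)
        if provider.get("type") in STORE_TYPES:
            server_type = props.get("server.type", [None])[0]
            for pname in REQUIRED_COMMON + REQUIRED_BY_SERVER_TYPE.get(server_type, ()):
                if not props.get(pname):
                    findings.append(f"{name}: required property '{pname}' is missing")
            jdbc = props.get("jdbc.url", [None])[0]
            if server_type == "DB_ORACLE" and jdbc and not ORACLE_THIN_URL.match(jdbc):
                findings.append(f"{name}: jdbc.url '{jdbc}' is not jdbc:oracle:thin:@host:port:sid")
        elif provider.get("type") == IDSTORE_TYPE:
            for pname in REQUIRED_IDSTORE:
                if not props.get(pname):
                    findings.append(f"{name}: required identity store property '{pname}' is missing")
        # Heuristic (assumption): a secret written in clear instead of via the bootstrap wallet key/map.
        for pname in props:
            if "password" in pname.lower():
                findings.append(f"{name}: '{pname}' holds a clear-text secret; use bootstrap.security.principal.key/map")

    for ctx in root.findall("jpsContexts/jpsContext"):
        for ref in ctx.findall("serviceInstanceRef"):
            if ref.get("ref") not in instances:
                findings.append(f"jpsContext {ctx.get('name')}: serviceInstanceRef '{ref.get('ref')}' is not defined")
    return findings


# Constructed sample, modelled on the DB-based fragment in this appendix. It deliberately carries a
# malformed jdbc.url, an undefined credential store provider, an identity store without
# group.search.bases, and a context that refers to an undefined keystore instance.
SAMPLE_CONFIG = """<jpsConfig>
  <propertySets><propertySet name="props.db.1">
    <property name="jdbc.url" value="jdbc:oracle:thin@db.example.com:1521:orcl"/>
    <property name="oracle.security.jps.farm.name" value="cn=farm"/>
    <property name="oracle.security.jps.ldap.root.name" value="cn=jpsroot"/>
    <property name="bootstrap.security.principal.key" value="dsrc_lookup_key"/>
  </propertySet></propertySets>
  <serviceProviders>
    <serviceProvider type="POLICY_STORE" name="rdbms.policystore.provider"
        class="oracle.security.jps.internal.policystore.ldap.LdapPolicyStoreProvider"/>
    <serviceProvider type="IDENTITY_STORE" name="idstore.ldap.provider" class="example.IdStoreProvider"/>
  </serviceProviders>
  <serviceInstances>
    <serviceInstance name="policystore.rdbms" provider="rdbms.policystore.provider">
      <property name="server.type" value="DB_ORACLE"/><propertySetRef ref="props.db.1"/>
    </serviceInstance>
    <serviceInstance name="credstore.rdbms" provider="rdbms.credstore.provider">
      <propertySetRef ref="props.db.1"/>
    </serviceInstance>
    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
      <property name="idstore.type" value="OID"/>
      <property name="ldap.url" value="ldap://ldap.example.com:3060"/>
      <extendedProperty><name>user.search.bases</name>
        <values><value>cn=users,dc=example,dc=com</value></values></extendedProperty>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="default"><jpsContext name="default">
    <serviceInstanceRef ref="policystore.rdbms"/><serviceInstanceRef ref="credstore.rdbms"/>
    <serviceInstanceRef ref="idstore.ldap"/><serviceInstanceRef ref="keystore.rdbms"/>
  </jpsContext></jpsContexts>
</jpsConfig>"""

if __name__ == "__main__":
    print("\n".join(check_config(SAMPLE_CONFIG)))
```

Run against the sample, the checker reports four findings: the jdbc.url that lacks the colon before the @, the credential store instance whose provider is not declared, the identity store missing group.search.bases, and the jpsContext reference to an undeclared keystore instance. Because configuration changes only take effect after a server restart (see the note at the top of this appendix), catching these before deployment avoids a restart cycle per mistake.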
Table F-7 lists properties common to all OID-based stores that can be specified in any service instance.
In the case of an OID-based identity store service instance, to ensure that the User and Role API picks up the connection pool properties when it is using the JNDI connection factory, the identity store service instance must include the following property:
<property name="INITIAL_CONTEXT_FACTORY" value="com.sun.jndi.ldap.LdapCtxFactory"/>
Table F-7 Generic OID Properties
Name | Description |
---|---|
| Specifies the type of OID connection that the JNDI connection pool uses. Valid in Java EE and Java SE applications. Optional. Values: Default value: |
| Specifies the maximum number of connections in the OID connection pool. Valid in Java EE and Java SE applications. Optional. Value example: 30 |
| Specifies the minimum number of connections in the OID connection pool. Valid in Java EE and Java SE applications. Optional. Value example: 5 |
| Specifies the protocol to use for the OID connection. Valid in Java EE and Java SE applications. Optional. Values: Default value: |
| Specifies the connection pool to use. Valid in Java EE and Java SE applications. Optional. Values: Default value: |
| Specifies the number of milliseconds that an idle connection can remain in the pool; after the timeout, the connection is closed and removed from the pool. Valid in Java EE and Java SE applications. Optional. Default value: 300000 (5 minutes) |
| Specifies the maximum number of retry attempts if there are problems with the OID connection. Valid in Java EE and Java SE applications. Optional. Value example: 5 |
The following fragment illustrates a configuration of several properties:
```xml
<jpsConfig ... >
  ...
  <!-- common properties used by all LDAPs -->
  <property name="oracle.security.jps.farm.name" value="cn=OracleFarmContainer"/>
  <property name="oracle.security.jps.ldap.root.name" value="cn=OracleJpsContainer"/>
  <property name="oracle.security.jps.ldap.max.retry" value="5"/>
  ...
</jpsConfig>
```
Table F-8 lists the properties that can be used to configure file-, OID-, or DB-based anonymous users, anonymous roles, and authenticated roles.
Table F-8 Anonymous and Authenticated Roles Properties
Name | Description |
---|---|
| Specifies a description of the anonymous role. Valid in Java EE and Java SE applications. Optional. No default value. |
| Specifies the name of the principal in the anonymous role. Valid in Java EE and Java SE applications. Optional. Default value: |
| Specifies the name of the anonymous role. Valid in Java EE and Java SE applications. Optional. Default value: |
| Specifies the name of the principal in the anonymous user. Valid in Java EE and Java SE applications. Optional. Default value: |
| Specifies a description of the authenticated role. Valid in Java EE and Java SE applications. Optional. No default value. |
| Specifies the name of the principal in authenticated user roles. Valid in Java EE and Java SE applications. Optional. Default value: |
| Specifies the name of the authenticated role. Valid in Java EE and Java SE applications. Optional. Default value: |
| Specifies whether the anonymous role should be removed from the subject after a user is authenticated. Valid in Java EE and Java SE applications. Optional. Valid values: Default value: |
Table F-9 lists the properties specific to the trust service.
Table F-9 Trust Service Properties
| Name | Description |
|---|---|
| | Specifies the type of the trust service store: JKS or KSS. Valid in Java EE and Java SE applications. Optional. Valid values: Default: none. When unspecified, if a KSS store is already provisioned, then the value is set to |
| | Applies only when kss://<stripeName>/<keyStoreName> Valid in Java EE and Java SE applications. Optional. Default: |
| | Applies only when kss://<stripeName>/<keyStoreName> Valid in Java EE and Java SE applications. Optional. Default: |
| | Specifies the alias to use to get an X.509 certificate and private key from the keystore. Valid in Java EE and Java SE applications. Optional. Default: the name of the WLS domain. |
| | Specifies the name to be included in the token. It is used by the destination trust service to pick up and validate the token. Valid in Java EE and Java SE applications. Optional. Default: the name of the WLS domain. |
| | Specifies the fully qualified name of the trust provider class. Valid in Java EE and Java SE applications. Required. Value: |
| | Specifies, in seconds, the time gap allowed when verifying time conditions. Valid in Java EE and Java SE applications. Optional. Default: 0. |
| | Specifies, in seconds, the time that a token remains valid after being issued. Valid in Java EE and Java SE applications. Required. Default: none. |
| | Specifies the map of the credential to access the keystore. Valid in Java EE and Java SE applications. Optional. Default: the value of the keystore instance property |
| | Applies only when Valid in Java EE and Java SE applications. Optional. Default: the value of the keystore instance property |
| | Applies only when Valid in Java EE and Java SE applications. Optional. Default: the value of the keystore instance property |
| | Specifies whether the SAML token includes a certificate. Valid in Java EE and Java SE applications. Required. Valid values: Default: |
The following sample illustrates the configuration of a trust service:
```xml
<propertySet name="trust.provider.embedded">
  <property name="trust.provider.className" value="oracle.security.jps.internal.trust.provider.embedded.EmbeddedProviderImpl"/>
  <property name="trust.clockSkew" value="60"/>
  <property name="trust.token.validityPeriod" value="1800"/>
  <property name="trust.aliasName" value="orakey"/>
  <property name="trust.issuerName" value="orakey"/>
  <!-- the property name must not carry trailing whitespace, or it is not matched -->
  <property name="trust.csf.map" value="my-csf-map"/>
  <property name="trust.csf.keystorePass" value="my-keystore-csf-key"/>
  <property name="trust.csf.keypass" value="my-signing-csf-key"/>
</propertySet>
```
Table F-10 lists the properties specific to the audit service. Additional properties are listed in Common Properties.
Table F-10 Audit Service Properties
| Property | Description | Required? | Values | Default Value |
|---|---|---|---|---|
| audit.filterPreset | The level of auditing. | no | None, Low, Medium, or High | None |
| audit.customEvents | For Custom, a list of audit events that should be audited. The events must be qualified with the component type; commas separate events and a semicolon separates component types. Example: JPS:CheckAuthorization, CreateCredential; OIF:UserLogin | no | | |
| audit.specialUsers | List of one or more users whose activity is always audited, even if filterPreset is None. Usernames that contain commas must be escaped properly. For example, when using Fusion Middleware Control, specify three users like this: "admin, fmwadmin, cn=test\,cn=user\,ou:ST\,L=RS\,c=is\,"; in setAuditPolicy, use addSpecialUsers="cn=orcladmin\\\,cn=com". | no | | |
| audit.maxFileSize | Controls the size of a bus stop file where audit events are written. Integer, in bytes. | no | 104857600 | |
| audit.loader.interval | Controls the frequency with which the audit loader uploads to the database. Integer, in seconds. | no | 15 seconds | |
| audit.loader | Store type for the audit events. If the type is Database (DB), also define audit.loader.jndi or the JDBC property. | yes | File, DB | File |
| audit.loader.jndi | JNDI name of the data source in application servers for uploading audit events into the database. | no | jdbc/AuditAppendDataSource | |
| audit.db.principal.map / audit.db.principal.key | The map and key for the JDBC user name and password credential in the bootstrap credential store, when running in Java SE and repositoryType is DB. | no | | |
| audit.loader.jdbc.string | The JDBC string for the JDBC connection when running in Java SE and repositoryType is DB. | no | | |
| audit.logDirectory | The base directory for bus-stop files. | required for Java SE | jse | |
| audit.timezone | Determines whether events are recorded in the Oracle WebLogic Server timestamp or in UTC. | no | utc, local | utc |
| audit.change.scanning. | In a distributed environment with an OID- or DB-based audit store, the audit service monitors each running OPSS instance for changes in audit runtime policies and dynamically reloads any cached policies. This property determines how frequently, in milliseconds, the service checks for changes. | no | whole number greater than zero | 60000 (60 seconds) |
The following is an example of audit service configuration:
```xml
<serviceInstance name="audit" provider="audit.provider" location="./audit-store.xml">
  <property name="audit.filterPreset" value="Medium"/>
  <property name="audit.loader.jndi" value="jdbc/AuditAppendDataSource"/>
  <property name="audit.loader.repositoryType" value="DB"/>
  <property name="server.type" value="DB_ORACLE"/>
  <property name="audit.timezone" value="local"/>
</serviceInstance>
```
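Pulling together the rules stated in Tables F-9 and F-10 (the trust properties marked Required, the allowed audit.filterPreset values, and the requirement that a DB audit repository also define audit.loader.jndi or audit.loader.jdbc.string), the following added Python lint, which is not part of OPSS or this appendix, parses a jps-config.xml fragment with the standard library and reports the misconfigurations before the restart that would load them. The sample document is constructed, property names are taken from the page's own fragments, and the whitespace check targets the kind of typo in a property name that makes the property silently unread.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the appendix): a trust propertySet and an audit
# serviceInstance carrying two faults a restart would otherwise load silently.
SAMPLE = """<jpsConfig>
  <propertySet name="trust.provider.embedded">
    <property name="trust.provider.className" value="oracle.security.jps.internal.trust.provider.embedded.EmbeddedProviderImpl"/>
    <property name="trust.clockSkew" value="60"/>
    <property name="trust.token.validityPeriod" value="1800"/>
    <property name="trust.csf.map " value="my-csf-map"/> <!-- fault 1: trailing space in the name -->
  </propertySet>
  <serviceInstance name="audit" provider="audit.provider">
    <property name="audit.filterPreset" value="Medium"/>
    <property name="audit.loader.repositoryType" value="DB"/> <!-- fault 2: DB store, no data source -->
  </serviceInstance>
</jpsConfig>"""

VALID_PRESETS = {"None", "Low", "Medium", "High"}
TRUST_REQUIRED = ("trust.provider.className", "trust.token.validityPeriod")  # "Required" rows of Table F-9

def properties(root, tag, name):
    """Map property name -> value for the <property> children of <tag name="...">."""
    node = root.find(f".//{tag}[@name='{name}']")
    return {} if node is None else {p.get("name"): p.get("value") for p in node.findall("property")}

def check_trust(props):
    # A name with stray whitespace will not match the key the service looks up, so the property is ignored.
    out = [f"trust: property name has surrounding whitespace: {n!r}" for n in props if n != n.strip()]
    out += [f"trust: required property missing: {r}" for r in TRUST_REQUIRED if r not in props]
    return out

def check_audit(props):
    out = []
    preset = props.get("audit.filterPreset", "None")  # Table F-10 default
    if preset not in VALID_PRESETS:
        out.append(f"audit: unknown audit.filterPreset {preset!r}")
    elif preset == "None" and "audit.specialUsers" not in props:
        out.append("audit: filterPreset is None and no audit.specialUsers, nothing is audited")
    # Table F-10: a DB repository also needs audit.loader.jndi or the JDBC string.
    if props.get("audit.loader.repositoryType") == "DB" and not (
            "audit.loader.jndi" in props or "audit.loader.jdbc.string" in props):
        out.append("audit: repositoryType is DB but neither audit.loader.jndi nor audit.loader.jdbc.string is set")
    return out

def lint(xml_text):
    root = ET.fromstring(xml_text)
    return (check_trust(properties(root, "propertySet", "trust.provider.embedded"))
            + check_audit(properties(root, "serviceInstance", "audit")))
```

Run lint() over a copy of jps-config.xml before restarting the server; an empty list means none of the checks above fired.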
Table F-11 lists the properties specific to the keystore service. Additional properties are listed in Common Properties.
Table F-11 Keystore Service Properties
| Property | Description | Required? | Values | Default |
|---|---|---|---|---|
| keystore.file.path | Location of the file keystores.xml when the file provider is configured. | Yes, if a file-based keystore provider is configured. | - | ./ |
| ca.key.alias | Key alias within "system/castore" of the third-party CA used for the Keystore service instance. | No | - | - |
| location | Location of the keystore; can be an absolute or relative path. | Yes, if keystore.type is JKS. No, if keystore.type is PKCS11 or HSM (LunaSA). | Path to keystore | ./default-keystore.jks |
| keystore.type | Type of keystore. | No | KSS, JKS, PKCS11, Luna | JKS |
| keystore.csf.map | Credential store map name used by Oracle Web Services Manager. Used only by OWSM. | No | Credential store map name | oracle.wsm.security |
| keystore.pass.csf.key | Credential store key that points to the keystore password. Used only by OWSM. | No | Credential store csf key name | keystore-csf-key |
| keystore.sig.csf.key | Credential store key name that points to the alias and password of the signing key in the keystore. For HSM, it is the direct key alias name rather than the credential store key name. Used only by OWSM. | No | Credential store csf key name or, for HSM, the direct alias | sign-csf-key |
| keystore.enc.csf.key | Credential store key name that points to the alias and password of the encryption key in the keystore. For HSM, it is the direct key alias name rather than the credential store key name. Used only by OWSM. | No | Credential store csf key name or, for HSM, the direct alias | enc-csf-key |
The following is an example of Keystore Service configuration:
```xml
<propertySet name="props.ldap.1">
  <property name="java.naming.ldap.derefAliases" value="never"/>
  <property name="bootstrap.security.principal.key" value="bootstrap_6aCNhgRM3zF04ToliwecdF6K3oo="/>
  <property name="oracle.security.jps.farm.name" value="cn=compact1_oid26008"/>
  <property name="server.type" value="OID"/>
  <property name="oracle.security.jps.ldap.root.name" value="cn=jpsTestNode"/>
  <property name="ldap.url" value="ldap://myComp.com:2020"/>
</propertySet>
<serviceProvider type="KEY_STORE" name="keystore.provider" class="oracle.security.jps.internal.keystore.KeyStoreProvider">
</serviceProvider>
<serviceInstance name="keystore.ldap" provider="keystore.provider">
  <propertySetRef ref="props.ldap.1"/>
</serviceInstance>
```
The following is an example of Keystore Service configuration for an LDAP-based provider:
```xml
<serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
  <description>Default JPS Keystore Service</description>
  <property name="server.type" value="OID"/>
  <property name="keystore.type" value="JKS"/>
  <property name="keystore.csf.map" value="oracle.wsm.security"/>
  <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
  <property name="keystore.sig.csf.key" value="sign-csf-key"/>
  <property name="keystore.enc.csf.key" value="enc-csf-key"/>
  <property value="bootstrap" name="bootstrap.security.principal.key"/>
  <property value="cn=wls-jrfServer" name="oracle.security.jps.farm.name"/>
  <property value="cn=jpsTestNode" name="oracle.security.jps.ldap.root.name"/>
  <property value="ldap://myHost.com:1234" name="ldap.url"/>
</serviceInstance>
```
The following is an example of Keystore Service configuration for a DB-based provider:

```xml
<propertySet name="props.db.1">
  <property name="jdbc.url" value="jdbc:oracle:thin:@host:port:sid"/>
  <property name="oracle.security.jps.farm.name" value="cn=farm"/>
  <property name="server.type" value="DB_ORACLE"/>
  <property name="oracle.security.jps.ldap.root.name" value="cn=jpsroot"/>
  <property name="jdbc.driver" value="oracle.jdbc.OracleDriver"/>
  <property name="bootstrap.security.principal.map" value="credential_map"/>
  <property name="bootstrap.security.principal.key" value="credential_key"/>
</propertySet>
…
…
<serviceInstance name="keystore.rdbms" provider="keystore.provider" location="./default-keystore.jks">
  <propertySetRef ref="props.db.1"/>
  <property name="server.type" value="DB_ORACLE"/>
  <property name="keystore.type" value="JKS"/>
  <property name="keystore.csf.map" value="oracle.wsm.security"/>
  <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
  <property name="keystore.sig.csf.key" value="sign-csf-key"/>
  <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>
```